Information systems and data exchange between government institutions are 
growing rapidly around the world, and with them, the threats to information 
within government departments are growing. In recent years, research into 
the development and construction of secure information systems in 
government institutions seems to be very effective. Based on information 
system principles, this study proposes a model for providing and evaluating 
security for all of the departments of government institutions. The 
requirements of any information system begin with the organization's 
surroundings and objectives. Most prior techniques did not take into account 
the organizational component on which the information system runs, despite 
the relevance of this feature in the application of access and control methods 
in terms of security. Based on this, we propose a model for improving 
security for all departments of government institutions by addressing 
security issues early in the system's life cycle, integrating them with 
functional elements throughout the life cycle, and focusing on the system's 
organizational aspects. The main security aspects covered are system 
administration, organizational factors, enterprise policy, and awareness and 
cultural aspects. 


This is an open access article under the CC BY-SA license. 


Corresponding Author: 


Haifaa Jassim Muhasin 

Department of Computer Science, Faculty of Education for Pure Science 
College of Education for Pure Science/Ibn Al-Haitham, University of Baghdad 
Baghdad, Iraq 

Email: haifaa.j@ihcoedu.uobaghdad.edu.iq 


1. INTRODUCTION 

The development of information systems infrastructure is critical for improving government work, 
but the main issue is security threats and concerns. These are service and infrastructure concerns, as the loss 
of government data, as well as violations of citizens' privacy and confidentiality, is a major challenge for 
government institutions [1], [2]. The primary goal of the research is to develop and implement a model for 
providing and evaluating information security in organizations. In recent years, government institutions' 
research into the development and construction of secure information systems has been extremely effective. Some contributions 
focused on integrating security aspects, particularly access control mechanisms, during the implementation 
phase, whereas others focused on identifying and analyzing security requirements [3]. However, there is no 
way to address the entire issue of security requirements and their transformation throughout all stages of an 
information system's life cycle. 

The performance of work in the institution is dependent on important and decisive factors, such as 
availability, efficiency, security, and quality of information, service function, and transparency, all of which 
contribute to improving the institution's performance [4]. The development and increasing use of mobile 
devices and the Internet to access data in sensitive government institutions makes them an appealing target 
for cybercriminals. As a result, the adoption of advanced technology in institutions typically necessitates 
specialized training and awareness for working people to acquire new skills [5]. However, the 
implementation of information and communication technologies (ICT) in government institutions has created 
numerous challenges, particularly privacy concerns and weaknesses related to the ability to provide citizens 
with access to large amounts of data [6]. There are also concerns about access to enterprise information 
systems and the risk of unauthorized access from within the organization [3]. 

Security is an important aspect of information systems, and security methods have evolved in a 
manner similar to that of information systems. Security and information systems share goals, means, and 
challenges, so they rely on risk review and analysis to determine acceptable information system protection. 
Interest is growing in methods and models for understanding the security requirements for information 
systems. Through this interest, it appears that information system security methods cannot achieve the 
required results unless they are integrated with methods for developing public information systems [7], [8]. 
The convergence of the two tracks results in the development of clear methods for providing security and 
safety controls for information systems. According to [9], [10], information security issues are considered 
management's responsibility because they affect the company's market position, and this study advises 
organizations to take a more volatile approach to information. Security management entails senior 
management involvement, human resource management, the development and implementation of an 
information security policy, information security awareness and training, and the involvement of strategic 
decision makers [11]. Research by Crowley [12] discusses information system security training and 
educational dynamics. This paper also presents a graduate-level information system security specialization 
developed using this information. The purpose of the paper [13] is to identify and prioritize the main issues 
that local government chief information officers are dealing with, or believe they will be dealing with in the 
near future, in the field of information systems security management. 

A researcher investigated the non-research fields of human resources information system (HRIS) 
and HR Electronic Security in [14] by outlining the fundamentals of information security and how it relates 
to businesses. Issues concerning the human resources information system and electronic human resources 
security were discussed, and instructions for dealing with these security issues were provided via the research 
form. Concerns about the security of the human resources information system must be addressed because the 
use of the human resources information system, electronic human resources, and similar enterprise systems 
will only increase. The researchers proposed an information security assessment plan in [15], taking into 
account academic institution expectations and related regulatory requirements. The primary goal of this plan 
is to provide an internal assessment and role-based response system, rather than just a checklist of security 
metrics. The proposed scale addresses the specific needs of three types of organizations: small, medium, and 
large. This approach drives iterative implementation and serves as a stepping stone for small businesses to 
protect their valuable information assets. 

The proposed method in [16] enables companies associated with information technology or on 
which it is based to implement information security management system (ISMS) related to them, using 
appropriate standards in this field and some information security management system standards. This method 
aids in the identification of related weaknesses and threats, as well as the assessment of risks and the 
provision of appropriate treatment methods. This method allows large information technology companies to 
establish an information security management system. The goal of [17] is to provide an analytical description 
of methods for analyzing and designing the security of information systems. This research deals with the 
methods by comparing them to the known methods of developing information systems, and in this way it is 
possible to understand the existing techniques for providing secure computing resources, identify the 
methods of developing systems, and learn about new research methods. 

The research study by Sillaber and Ruth [18] aims to validate stakeholder participation in the early 
stages of management process analysis of risks related to information system security, as well as how users' 
awareness of the style and business process model affects the risk management process for information 
system security, particularly the security requirements in terms of number and accuracy. This paper responds 
to requests for user participation in information system security-related processes, as well as validates 
findings from several case studies conducted within the organization under investigation. It is necessary to 
focus on IT governance, which includes leadership, organizational structure, and processes, to ensure that the 
IT organization supports and expands the organizational strategies and goals [19]. In this paper, we will 
present a proposed model for a security information system for a government institution, taking security 
issues into account early in the system's life cycle and integrating these issues with functional aspects 
throughout the system's life cycle, where the functional requirements are integrated and include social, 
awareness, informational, and organizational aspects. 

2. METHOD 

There are numerous challenges and obstacles associated with data protection in government 
institutions that must be addressed early in the system life cycle and integrated with the functional aspects of the 
system life cycle stages [6]. They can be classified into the following categories: 
a. Technical issues: these are issues with the organization's infrastructure, security mechanisms, and data 
integrity. 
b. Policy issues: defining and providing services, defining responsibilities, and defining the institution's overall 
policy. 
c. Awareness and cultural challenges: this includes issues such as user distrust, threats to confidential data and 
privacy, and licensing and liability limitations. 
d. Legitimacy: it represents issues associated with network crimes and a lack of information technology laws. 
Every government's primary goal is to provide the best services possible in order to establish efficiency 
and quality of performance [20], [21]. The proposed model for providing enterprise information systems 
security demonstrates that information security is critical and is addressed from the system's inception. Software 
and hardware security, workstation security, personnel and physical issues are all examples of security 
measures. Organizational measures such as data security, procedures, and administrative aspects are also 
critical. The second factor is the institution's policy. The final aspect is related to awareness and culture in terms 
of information security within the organization, as well as spreading security awareness among employees. 
Figure 1 depicts the information system security factors in the proposed model. The model for data 
protection in government information systems is depicted in Figure 2. 

Figure 1. Factors of the proposed information systems model 

Figure 2. The model of data protection in information systems of government institutions 

2.1. Organizational and administrative factors 

Information security management is an integrative management-system philosophy for continuously 
improving the quality of information security operations and implementing high-quality information security 
within the organization [22]. All members of the organization (Head of Information Department (HID), IT 
staff, end users) are involved in improving processes related to the quality of information security. To 
achieve these goals, an assessment plan must be designed based on the needs of the organization by defining 
the main responsibilities required for system management. A reporting approach is used, in which the 
reports help reduce the time specified for responding to any emergency event in which the appropriate 
person responsible for planning and implementation participates [23]. Reduced response time is critical for effective 
security management. There are two categories of organizational and administrative factors: 
a. social factors: these include 

— Create and implement a method to ensure the quality of information security within the organization 
throughout the information security lifecycle, which includes risk management, process 
measurement, process improvement, and process management. 

— Develop a comprehensive security strategy for technology and operations. An effective, high-quality 
information security program necessitates the use of technology, processes (policy, standards, and 
procedures), and people. 

— Developing training programs to improve information security. Because information security is 
everyone's responsibility, it eliminates barriers between IT and other departments. 

b. administrative factors, such as 

— Managing, developing, and implementing information security methods within the organization. 
Organizations should improve the quality of information security to support the protection of sensitive 
data, employee and customer privacy, and business and business survival objectives. 

— Creating and implementing a mechanism for assessing information security in the organization. The 
development of the evaluation mechanism is dependent on the assessment of the organization's risks. 
The organization must identify critical risk factors and indicate the level of exposure. 

— Controlling internal and external threats. It is the analysis of attack behavior and the provision of 
proactive advice to improve enterprise security. Specify the level of potential exposure. 


2.2. Institution policy factor 

Develop and implement a quality information security policy within the organization through strong 
policies to improve the organization's quality. Policies for information system security are developed, and 
organization members are informed of their responsibilities for protecting their organization's information 
systems. Information system security policies establish the foundation for acquiring, configuring, and 
auditing information systems for policy compliance [11]. 

Official information protection policies include the creation of a specialized information protection 
department, the appointment of a person responsible for information protection (the head of information 
security), and an increase in information protection personnel [24]. The main factors for institutional policy 
are informational and technical factors, which include the following: 

a. Implementation of an effective and high-quality information security program throughout the information 
security system's life cycle. 

b. Internal and external threat risk analysis 

c. A policy that assists in the design and implementation of an effective information security system that 
meets the needs and objectives of the organization. 

The areas concerned with security measures for information system programs are as follows: organizing the 
user account, managing and generating passwords, managing and controlling access control, using encryption 
methods, and organizing and managing security records. 


2.3. Awareness and cultural factors 

Develop information security training and awareness programs. Training and awareness must be 
prioritized for the success of the information security program, especially training the organization's 
information technology staff and users on the security policy in terms of the procedures and techniques used, 
as well as the various administrative and operational controls required and available to secure the institution 
[25]. Information security and organizational culture are both important factors to consider. At the enterprise 
level, information security is not limited to specific employees; however, it is necessary to create an 
organizational culture that emphasizes the importance of information security and raises enterprise awareness 
[9], [26]. Human factors are the most important for raising awareness and cultural factors, and they include 
the following: 

a. Creating and implementing a culture of concern for the quality of information system security among the 
institution's employees. 

b. Raising employee security awareness. 

c. Develop methods for securing the organization's technology, procedures, policies, and people, which are 
the fundamental components of an effective information security program. 

d. Develop training and awareness programs for the institution's employees, particularly those working in 
the field of information systems security. 

The model for data protection in government information systems with factors is depicted in Figure 3. 

Figure 3. Data protection in information systems of government institutions model with factors 

Consider the information system for the issuance of graduate documents in the Registration Division 
of a college within the University of Baghdad. We note that all of the factors are required to protect information 
in the system: the organizational and administrative aspects, the work policy available in the 
Registration Division's information system, particularly for data related to degrees and related documents, 
and raising the awareness of workers in this field. The security 
aspect concerns ensuring the integrity of the graduates' degree data and personal data, which must be 
available to ensure that the information system operates correctly and securely. 

This paper focuses on the process of issuing a graduation certificate for a college graduate. For 
example, the process begins with the applicant completing an electronic form via the form link provided by 
the Registration Division and attaching a copy of the wage payment receipt received from the Accounts 
Division, which will be delivered later upon review by the Registration Division, as well as delivering 
personal photos with the required documents. The form is reviewed by file staff to ensure that the file is 
complete and that there are no missing documents. The document is then organized by the competent 
employee. When there are missing documents in a student's file, the student is notified by e-mail 
or phone call to complete them. After the document has been organized, printed, and signed by the concerned employee, the 
information is checked with the electronic graduate system, and after verifying its authenticity, it is sent to 
the Director of Registration for checking and signing, then to the Assistant Dean for signature, and finally to 
the Dean for signature. Finally, it is returned to the registry to be assigned a number and forwarded to the 
university via letter for certification. 

We can see from the previous steps regarding the issuance of an average document for a college 
graduate that the steps concerning organization and auditing are among the administrative and organizational 
steps concerning graduates, which represent functional factors. The work policy of the Registration Division, 
as well as the measures taken to maintain information confidentiality, are all in accordance with this policy, 
which represents non-functional factors. Figure 4 depicts the processes of the proposed model for 
data protection in issuing graduation certificates. 

Figure 4. The proposed information system model with factors for issuing graduation certificate 


4. COMPARISON OF RESULTS AND DISCUSSION 

Previous research has focused on integrating security concerns, particularly access control 
mechanisms, during the final implementation stage. Others are more concerned with defining and analyzing 
security requirements. However, based on our review of previous research, we believe that no research has 
been done to effectively address the problem by identifying and specifying security demands and integrating 
them across the life cycle of a system. Research has resulted in a variety of methodologies, but they only 
cover a portion of the system's life cycle. Despite the importance of this aspect in the use and control of 
access methods in terms of safety, the requirements of any information system start from the organization's 
environment and objectives, and in most cases, the organizational aspects on which the information system 
operates are not taken into account. Based on these findings, we presented a model for delivering and 
evaluating security for all government departments and institutions. System administration, organizational 
factors, enterprise policy, awareness, and cultural features are among the most important security topics 
mentioned. Because it considers all functional and non-functional criteria, as well as social and 
organizational elements, the suggested model complements and enhances earlier models provided in the 
literature. Early in the requirements analysis process, safety features are addressed, and this consideration 
continues throughout the design process until implementation. 

The proposed model is intended to protect information systems in government institutions in 
accordance with the institution's requirements, and the basic factors related to the organization and 
management are determined, as well as the basic responsibilities, which is important and necessary to protect 
information, as well as the definition of the institution's policy factors, particularly. Spreading awareness 
among the organization's employees is an important aspect of the proposed model, as it contributes to the 
protection of information and the systems that use it, as well as the development of the basic components of 
information systems represented by procedures related to technology and the institution's policy. These 
procedures represent important steps to exploit time and determine priorities and roles that contribute to the 
implementation and protection of information systems and reduce the effort and time required to complete 
information security and protect the systems operating on it, as well as the speed of completion of 
system-related reports, which leads to improved management and security organs. 


5. CONCLUSION 

To successfully implement information system security using a variety of factors, apply these factors 
to the use of new information technology services, prepare a strategy and methods for implementing these 
factors with information technology services for each stage of the system, study and improve the institution's 
participation policy, and ensure its resiliency. To ensure the organization's good management, the security of 
the system and the user must be ensured. Because employees require security skills and knowledge of 
information technology, security measures are critical to ensuring that the system operates efficiently. In 
order to improve the security characteristics of information systems in government institutions, this research 
presented an information systems security model and, based on that, suggested the factors affecting 
information system security. The findings of this research will be useful in ensuring reliability and activating 
the use of electronic information systems. It will also be necessary to develop the methods of specialists who 
will be responsible for creating a comprehensive and efficient information system. 